File Uploads

[RobertP]

I have created a custom cms engine from scratch. Now i wish to add a file manager, how do you think i should go about this. Any security issues i need to look into / add? Any feedback appreciated.

[Pikachu2000]

In case you aren't aware, the tutorial you've linked to in your sig is about 9 years out of date. Actually, pretty much everything on that site is outdated.

[RobertP]

In case you aren't aware, the tutorial you've linked to in your sig is about 9 years out of date. Actually, pretty much everything on that site is outdated.

it helped me a few years ago, and can still help others 

[Pikachu2000]

Deprecated code doesn't help anyone. Well, unless your goal is to write code that will suddenly stop working the next time php is upgraded on your server. In that case it's fine.

 

[RobertP]

lets try to get on-topic??

 

is it possible to execute php/js code with an image extension?

[scootstah]

is it possible to execute php/js code with an image extension?

 

PHP: No, unless you explicitly tell Apache to parse image files as PHP.

 

JS: Possibly, in older browsers.

[thehippy]

The 'name' and 'type' attributes from $_FILES are provided from the client, so you'll need to treat those as user input and filter/validate them.  I would say that common/safe practice would be to ignore them both and use your own naming and do some detection on the type.  The 'name' attribute can be a bit nefarious, the client could provide '../../etc/passwd' as the name for instance and that's definitely not a file you want to write to.  And of course using some kind of antivirus on the server to scan incoming files is common sense.  Microsoft in particular has had some buffer overflow issues with their image libraries and an AV scanner should detect those, not something you want to be redistributing from your site.

[RobertP]

about scanning the file, and php application that can help, or do i need something external; and if external, cross-platform friendly?

[RobertP]

how reliable are these functions?

 

function getFileExt($file){
$vars = explode('.',$file);
return $vars[count($vars)-1];
}

function getFileType($file){
$handler = new finfo;
return $handler->file($file,FILEINFO_MIME_TYPE);
}

[scootstah]

You can get the file extension like this:

echo pathinfo($filename, PATHINFO_EXTENSION);

[RobertP]

thank you for the tip.

 

how do i scan files for viruses and other malware?

[thehippy]

Invoke external command line AV scanner, clamav for instance or one of the many out there, commercial or not they usually have a command line interface.  There are a couple of bindings I know for PHP but those are maintained poorly/not updated, so its best just to hand it off to the CLI.

[scootstah]

Keep in mind that if this is a CMS to be distributed publicly, an AV scanner is probably not going to work out. Number 1 that's probably going to consume a lot of resources and shared hosts get grumpy about that, and Number 2 unless you build an AV to include with your project, you can't guarantee every hosting setup has an AV that works in the same way.

[thehippy]

If you knowingly do not put any protections in place to verify the threat of the files, it would make your site a distributor of viruses and depending on your location and the location of your users can be a criminal offence, be sure to consult your lawyer to come up with a licence agreement to mitigate your liability and warn your users of the risk.

[RobertP]

thank you all very much, i have decided to create a av-scan module via the cli configurable of course